WSTEP enrollment can use Kerberos authentication to authenticate Windows endpoints. For cross-forest deployments, Windows endpoints are located using Kerberos V5 LDAP referrals. The domain controller (Active Directory Domain Services) maintains referral data in crossRef objects in its Configuration container. For more information about referrals, see the Microsoft documentation.
For cross-forest deployments with WSTEP enrollment, you must manually add a crossRef object into the domain controller for each cross-forest domain that you must support.
To add a cross-forest referral in a domain controller for cross-forest deployments
- Open ADSI Edit. Select Start > Windows Administrative Tools > ADSI Edit.
- Connect to the Configuration context:
  - Select Action > Connect to. A Connection Settings dialog box appears.
  - In the Name field, enter a unique name for the connection.
  - Under Connection Point, click Select a well known Naming Context, and then select Configuration.
  - Under Computer, click Select or type a domain or server, and then enter the server and port of the domain controller, using the form `<server>:<port>`. If you are on the server hosting the domain controller, you can enter `localhost` for `<server>`.
  - Click OK.
- Expand the configuration connection that you just created, and then expand CN=Configuration,<suffix> > CN=Partitions, where <suffix> is the suffix (distinguished name) of the domain controller.
- Select CN=Partitions, and then select Action > New > Object. A Create Object dialog box appears.
- Select crossRef.
- Click Next.
- In the Value field, enter the NetBIOS name of a cross-forest domain.
- Click Next.
- In the Value field, enter the distinguished name of the cross-forest domain.
- Click Next.
- In the Value field, enter the DNS name of the cross-forest domain.
- Click Next.
- Click Finish. A crossRef object is added for the cross-forest domain.
- Repeat this procedure for each cross-forest domain the domain controller must support for cross-forest referrals.
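The same referral can be created and verified from PowerShell instead of ADSI Edit. The following is an added example, not part of the original procedure; it assumes the ActiveDirectory module (RSAT) is installed, that the account used may write to CN=Partitions (normally Enterprise Admins), and the domain values shown are constructed placeholders.

```powershell
# Added example (not from the original page): create the crossRef object that the
# ADSI Edit wizard above creates, then list the referrals the domain controller holds.
# Assumes the ActiveDirectory module and write access to CN=Partitions.
Import-Module ActiveDirectory

function Add-CrossForestReferral {
    param(
        [Parameter(Mandatory)] [string] $NetBiosName,        # first wizard Value (cn)
        [Parameter(Mandatory)] [string] $DistinguishedName,  # second wizard Value (nCName)
        [Parameter(Mandatory)] [string] $DnsName,            # third wizard Value (dnsRoot)
        [string] $Server = 'localhost'                       # domain controller to write to
    )

    # CN=Configuration,<suffix> is read from the directory rather than typed by hand.
    $configNC   = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $partitions = "CN=Partitions,$configNC"

    # Do not add a second referral for a domain that already has one.
    $existing = Get-ADObject -Server $Server -SearchBase $partitions -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=crossRef)(nCName=$DistinguishedName))"
    if ($existing) {
        Write-Warning "A crossRef for $DistinguishedName already exists: $($existing.DistinguishedName)"
        return $existing
    }

    # crossRef requires cn, nCName and dnsRoot; these are the three wizard pages.
    New-ADObject -Server $Server -Type crossRef -Name $NetBiosName -Path $partitions `
        -OtherAttributes @{ nCName = $DistinguishedName; dnsRoot = $DnsName } -PassThru
}

function Get-CrossForestReferrals {
    # Verification step: every crossRef under CN=Partitions, including the forest's own.
    param([string] $Server = 'localhost')
    $configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    Get-ADObject -Server $Server -SearchBase "CN=Partitions,$configNC" -SearchScope OneLevel `
        -LDAPFilter '(objectClass=crossRef)' -Properties nCName, dnsRoot, nETBIOSName |
        Select-Object Name, nCName, dnsRoot, nETBIOSName
}

# Constructed placeholder values; replace with the cross-forest domain you must support.
Add-CrossForestReferral -NetBiosName 'PARTNER' `
    -DistinguishedName 'DC=partner,DC=example' -DnsName 'partner.example'
Get-CrossForestReferrals
```

Run it once per cross-forest domain, exactly as the manual procedure is repeated; the listing at the end shows the new crossRef next to the forest's existing partition entries.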